9 April 2026

Reddit’s £14.47m Lesson: Complete a Data Protection Impact Assessment (DPIA)!

By Jess Pembroke, Director of Information Law Services

In February 2026, the Information Commissioner’s Office (ICO) issued a £14.47 million monetary penalty to Reddit for serious UK GDPR failings relating to children’s personal data.

The Monetary Penalty Notice (now that the ICO has published it!) highlights lots of issues, including that Reddit:

  • Lacked a lawful basis for processing personal data of children under 13, breaching Articles 5(1)(a), 6 and 8 UK GDPR,
  • Relied on weak age gating and self-declaration, which the ICO considered inadequate where children could be exposed to harmful or age-inappropriate content,
  • Did not demonstrate that risks to children had been identified, assessed, or mitigated at design stage, despite operating a platform highly likely to be accessed by minors.

But what fascinates me is the reticence to complete a DPIA, a staple tool in any DPO’s toolkit for documenting what your organisation is doing and ensuring it is compliant with the GDPR. It took more than three years of regulatory engagement for Reddit to complete one:

Reddit DPIA: A Short Regulatory Timeline

This was not an oversight or an administrative delay. It was a consistent and deliberate position:

  • September 2021: The ICO first asked Reddit whether it had completed a DPIA in preparation for the Children’s Code.
  • 2021–2024: Despite repeated requests, including statutory information notices, Reddit maintained that a DPIA was not required because the platform was “aimed at adults”. No child-specific DPIA was provided.
  • July 2024: The ICO explicitly asked whether Reddit had carried out any DPIAs covering children’s personal data, profiling, or marketing. Reddit confirmed that it had not.
  • January 2025: Following sustained regulatory pressure, Reddit began work on a child-focused DPIA.
  • February 2026: The ICO issued a £14.47m monetary penalty.

Alongside this, another revealing episode unfolded. In May 2025, Reddit agreed to provide the ICO with copies of the Children’s Access Assessment (CAA), Children’s Risk Assessment (CRA) and Illegal Content Risk Assessment (ICRA) it had prepared under the Online Safety Act and shared with Ofcom. On 27 May 2025, Reddit then refused to share those documents with the ICO after all[1].

At times, Reddit’s approach risks looking like the regulatory equivalent of burying your head in the sand, avoiding formal assessment in the hope that uncomfortable conclusions would not have to be confronted. A DPIA would have required Reddit to look directly at evidence it repeatedly sought to sidestep: the likelihood of children accessing the platform, the limitations of self-declared age gating, and the foreseeable harms arising from the platform’s design choices. Avoiding a DPIA did not eliminate those risks; it merely delayed their documentation.

Why Reddit’s DPIA position fell apart

The ICO’s Children’s Code should have raised the bar for platforms such as this. It makes clear that where children are likely to access an online service, a DPIA is required because this type of processing is inherently likely to result in high risk to children’s rights and freedoms.

 Reddit’s position that it was not required to conduct a DPIA at all. Reddit initially took the position that a DPIA was not necessary because its Platform is “aimed at adults”. In the Representations, Reddit maintained that primary position. It submitted that the Commissioner was wrong to conclude that a child-specific data protection impact assessment was required.

By refusing to complete a DPIA, Reddit deprived itself of the very mechanism designed to identify, assess and mitigate the risks.

Let’s be clear: a DPIA is not a “get out of enforcement free” card. If an organisation is non‑compliant, completing a DPIA will not prevent regulatory action or undo harm. But a properly executed DPIA would have forced Reddit to:

  • recognise the high likelihood of children accessing the platform;
  • confront the effectiveness of self-declared age‑gating;
  • consider and document alternative approaches and mitigations;
  • build child-specific protections into platform features, rather than relying on policy statements;
  • demonstrate that its decision-making was structured, reasoned and timely.

None of this happened early enough, or at all, until significant regulatory pressure made avoidance untenable.

How Training Helps Prevent “Reddit-Style” Failures

Cases like this consistently expose the same gap: organisations understand that DPIAs exist, but not how to use them properly.

This is exactly why we deliver the Privacy by Design (DPIA) intermediate course at Naomi Korn Associates.

The course focuses on building the practical skills teams need to:

  • Identify high-risk processing early
  • Assess real-world harms involving children and other vulnerable groups
  • Use DPIAs as decision-making tools, not paperwork exercises
  • Demonstrate accountability

Book your place on the 22 April (9:30am-1pm) date now via the link above, or contact us for more information!

Conclusion

Reddit has strongly disagreed with the fine and has indicated that it intends to appeal, framing the ICO’s expectations as requiring excessive data collection and conflicting with its wider commitment to user privacy. However, regardless of where that appeal ultimately lands, none of this alters the core point: Reddit should have completed a DPIA at the outset. Disagreeing with a regulator’s interpretation of the risks does not remove the duty to assess risk, document decisions, and demonstrate accountability.

Reddit’s penalty is not just a warning about children’s data. It is a reminder that avoiding documentation, delaying assessment, or assuming a DPIA is optional is itself a risky regulatory strategy and one the ICO is increasingly unwilling to tolerate.


[1] reddit-mpn-20260223.pdf
